Pokémon GO Shines a Light on the Dark Art of GPS Spoofing

Pokémon GO, the wildly popular augmented-reality game, has thrust the dark art of GPS spoofing into the limelight. But what exactly is spoofing, and who should be worried about it?

Pokémon GO only launched a few days ago, but its makers are already having to deal with an army of determined “spoofers”, according to an article in Motherboard.

These are people who are cheating to get ahead in the smartphone-based game by interfering with its GPS-based geolocation functions.

Pokémon GO is an augmented reality game which sends players to real-life locations to capture virtual Pokémon characters or do battle with other players. The characters are located at specific GPS co-ordinates - from supermarkets and cafés to churches and riverbanks.

The problem for lots of players is that there are no Pokémon characters located near them – or not enough of the coveted rare ones. Others prefer to catch Pokémon from the comfort of their own sofa. So, rather than put in the legwork, they’re resorting to a technique known as location spoofing.

What is location spoofing?

Spoofing is the art of fooling a location-aware electronic device into believing it is somewhere different from its actual physical location. It can be done in a variety of ways; some trivially easy, some relatively hard.

If you have an iPhone or Android phone, for example, you don’t have to search online for very long to find step-by-step instructions on how to override the GPS locator and instead tell the phone you are at a completely different location.

For a Pokémon GO player, that’s handy if you live in upstate New York but you really want to catch that fabled rare Pokémon in the Panama Canal. Or if you just don’t feel like going outside today.

Spoofing is not new – but methods are evolving

Location spoofing isn’t a new concept, and it isn’t all about GPS, either. In the days before streaming video, British expats in Europe were full of lore about how to fool satellite television companies into thinking their set-top boxes were in the UK, magically unlocking TV content intended only for a UK audience. Today, fans of overseas TV shows have learned to spoof their IP address to make their laptop or tablet appear as if it’s located in a country that’s legally allowed to access the content.

Using a fake location app on an Android phone, or a proxy IP address on a tablet, is an example of what we might call spoofing at the application layer. These methods tamper with the software that handles location, but they don’t interfere with the electronics that receive location data from a global navigation satellite system like GPS.

But it is also possible to spoof the GPS receiver itself, by feeding it a replica GPS signal that fools the receiver into thinking it’s located at the co-ordinates dictated by the “fake” signal. (The real signals from GPS are very weak, and can easily be overpowered by a stronger replica.) Any software that relies on this data input would then act on the “fake” position data rather than the “real” data from GPS. We might call this spoofing at the radio-frequency (RF) layer.

RF spoofing is now much easier than it was

Spoofing at the RF layer used to be extremely hard to do. It required expert knowledge of GPS signals, antenna patterns and signal processing algorithms. The would-be spoofer also had to have access to expensive, specialist equipment to generate and broadcast the replica signal.

While experiments demonstrated that RF spoofing was possible and potentially alarmingly disruptive (in one experiment, the spoofer was able to take control of a superyacht), the general feeling was that nobody would bother going to all the trouble and expense.

But that all changed in an instant last August, when two Chinese security researchers demonstrated at the DEFCON hacker conference that it’s possible to build a GPS spoofing device using a software-defined radio and freely available source code – and no special expertise in GPS.

With their bargain-basement spoofer, the Chinese team showed they could remotely take control of a drone, a smartphone, and a car’s in-vehicle navigation system. For those (like me) in the audience, this was impressive – and alarming – stuff.

Those were controlled demonstrations, but there are also reports of RF spoofing being used in the real world. In December 2015, the US Department of Homeland Security reported that narcotics traffickers were using spoofing techniques to disable border control drones. And there is a suggestion that in 2011, a CIA drone was captured in Iran using a GPS spoofing technique.

Essentially, there are few legitimate reasons to fake location, and many illegitimate ones. Even with something as innocuous-seeming as Pokémon GO, there are reports that criminals are exploiting its geolocation features to lure people to secluded places before attacking them.

Is time spoofing next?

The potential for criminal activity becomes even more apparent when you consider that GPS doesn’t just provide location co-ordinates, but is also the world’s #1 source of precise time.

Each GPS satellite carries atomic clocks, which broadcast a continuous, ultra-precise time signal to receivers on the ground. That precise time signal is used to coordinate activity across vast swathes of our critical infrastructure, including mobile phone networks, power grids, and financial trading systems.

Replica GPS signals, broadcasting a different timestamp from the real time, could have a significant impact on the smooth operation of those networks.

The risk of GPS time spoofing to critical infrastructure has increased to the point that in January 2015, a manufacturer of precise GPS clocks for electricity substations felt compelled to self-report a spoofing vulnerability in one of its models to the US Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).

Protecting your business and products from spoofing attacks

As more software, services and infrastructure come to rely on accurate GPS time and position data, manufacturers of those services must be alert to the growing risk of spoofing – whether at the application or RF layer.

That means keeping abreast of the latest spoofing techniques, and conducting a thorough assessment to understand the risk to your customers, products and services. Once you have assessed the risk, you can draw up an action plan to address any vulnerabilities you uncover.
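As an added illustration of what such an action plan can contain on the receiver side (example code written for this page, not from the article or any vendor), the checks below run over a stream of GPS fixes and flag the symptoms described earlier: a reported GPS time that stops advancing in step with the device’s own clock, a position jump that implies an impossible speed, and a sudden rise in signal strength of the kind a stronger replica signal would cause. The thresholds, the Fix record and the sample fixes are all constructed assumptions.

```python
import math
from dataclasses import dataclass

@dataclass(frozen=True)
class Fix:
    gps_time: float    # seconds, as decoded from the (possibly spoofed) GPS signal
    local_time: float  # seconds, the receiver's own free-running clock
    lat: float         # degrees
    lon: float         # degrees
    cn0_db: float      # carrier-to-noise density of the tracked signal, dB-Hz

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6_371_000.0 * math.asin(math.sqrt(a))

def check_fixes(fixes, max_speed_mps=60.0, max_clock_skew_s=1.0, max_cn0_jump_db=8.0):
    """Return (index, reason) alerts for fixes implausible relative to the previous one.

    Thresholds are illustrative assumptions, to be tuned per device and use case."""
    alerts = []
    for i in range(1, len(fixes)):
        a, b = fixes[i - 1], fixes[i]
        dt_local = b.local_time - a.local_time
        dt_gps = b.gps_time - a.gps_time
        # 1. GPS time should advance in step with the receiver's own clock;
        #    a replica signal carrying a different timestamp breaks this.
        if abs(dt_gps - dt_local) > max_clock_skew_s:
            alerts.append((i, "time-step"))
        # 2. The implied ground speed must be physically plausible for this device.
        if dt_local > 0 and haversine_m(a.lat, a.lon, b.lat, b.lon) / dt_local > max_speed_mps:
            alerts.append((i, "velocity"))
        # 3. Genuine satellite signals are weak; a sudden jump in strength is suspicious.
        if b.cn0_db - a.cn0_db > max_cn0_jump_db:
            alerts.append((i, "signal-strength"))
    return alerts

# Constructed sample: two walking fixes near Albany, NY, then a "teleport" to the
# Panama Canal with a much stronger signal, then a 30 s forward jump in GPS time.
SAMPLE_FIXES = [
    Fix(1000.0, 0.0, 42.6500, -73.7500, 38.0),
    Fix(1001.0, 1.0, 42.6501, -73.7500, 38.5),
    Fix(1002.0, 2.0, 9.0800, -79.6800, 52.0),
    Fix(1033.0, 3.0, 9.0800, -79.6800, 52.0),
]

for idx, reason in check_fixes(SAMPLE_FIXES):
    print(f"fix {idx}: suspicious ({reason})")  # fix 2: velocity, signal-strength; fix 3: time-step
```

In a real product these alerts would feed a policy decision (hold the last trusted fix, fall back to another time source, or notify the operator) rather than simply being printed.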

One word of warning: as last year’s DEFCON presentation and this year’s Pokémon GO craze have shown, spoofing is evolving quickly, as is general awareness of spoofing as a hacking technique and willingness to experiment with it. For this reason, I’d recommend conducting regular risk assessments, rather than a once-and-done exercise. Spoofing is not going away, and is only going to get more widespread and more sophisticated.